Commit Graph

186 Commits

Author SHA256 Message Date
Reinhard Max
2d8afe69b8 - Security update 9.10.3-P3:
* CVE-2016-1285, bsc#970072: assert failure on input parsing can
    cause premature exit.
  * CVE-2016-1286, bsc#970073: An error when parsing signature
    records for DNAME can lead to named exiting due to an assertion
    failure.
  * CVE-2016-2088, bsc#970074: a deliberately misconstructed packet
    containing multiple cookie options to cause named to terminate
    with an assertion failure.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=190
2016-03-11 13:59:03 +00:00
Reinhard Max
abbe73be65 - Security update 9.10.3-P3 fixes two assertion failures that can
lead to remote DoS:
  * CVE-2016-1285, bsc#970072
  * CVE-2016-1286, bsc#970073

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=189
2016-03-11 13:55:29 +00:00
0f06af6f9d Accepting request 361463 from home:bmwiedemann:branches:network
- drop a changing timestamp making build reproducible

OBS-URL: https://build.opensuse.org/request/show/361463
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=187
2016-02-26 07:55:47 +00:00
Lars Müller
fd2b586269 Sligthly enhance the last commmit
- \ at the last option line allows us to keep the full history
- a tab is no a space

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=186
2016-02-12 21:48:50 +00:00
Lars Müller
9508d45935 Accepting request 359100 from home:elvigia:branches:network
- Build with --with-randomdev=/dev/urandom otherwise 
  libisc will use /dev/random to gather entropy and that might
  block, short read etc..

OBS-URL: https://build.opensuse.org/request/show/359100
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=185
2016-02-12 19:11:31 +00:00
Reinhard Max
c7dc2ebf4f - Security update 9.10.3-P3:
* Specific APL data could trigger an INSIST (CVE-2015-8704,
    bsc#962189).
  * Certain errors that could be encountered when printing out or
    logging an OPT record containing a CLIENT-SUBNET option could
    be mishandled, resulting in an assertion failure
    (CVE-2015-8705, bsc#962190).
  * Authoritative servers that were marked as bogus (e.g.
    blackholed in configuration or with invalid addresses) were
    being queried anyway.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=183
2016-01-20 11:04:34 +00:00
Reinhard Max
7c65773c2b OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=181 2015-12-21 17:51:47 +00:00
Reinhard Max
5f956be5fc - Update to version 9.10.3-P2 to fix a remote denial of service by
misparsing incoming responses (CVE-2015-8000, bsc#958861).

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=180
2015-12-21 17:12:31 +00:00
Reinhard Max
ee28860376 Accepting request 336332 from home:jengelh:branches:network
- Avoid double %setup, it confuses some versions of quilt.
- Summary/description update

OBS-URL: https://build.opensuse.org/request/show/336332
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=178
2015-10-05 07:46:26 +00:00
Lars Müller
f17cebd7c5 Accepting request 332971 from home:msmeissn:branches:network
- Update to version 9.10.2-P4
  * An incorrect boundary boundary check in the OPENPGPKEY
    rdatatype could trigger an assertion failure.
    (CVE-2015-5986) [RT #40286] (bsc#944107)
  * A buffer accounting error could trigger an
    assertion failure when parsing certain malformed 
    DNSSEC keys. (CVE-2015-5722) [RT #40212] (bsc#944066)

OBS-URL: https://build.opensuse.org/request/show/332971
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=176
2015-09-22 20:15:47 +00:00
Lars Müller
f94eebf621 - Update to version 9.10.2-P3
Security Fixes
  * A specially crafted query could trigger an assertion failure in message.c.
    This flaw was discovered by Jonathan Foote, and is disclosed in
    CVE-2015-5477. [RT #39795]
  * On servers configured to perform DNSSEC validation, an assertion failure
    could be triggered on answers from a specially configured server.
    This flaw was discovered by Breno Silveira Soares, and is disclosed
    in CVE-2015-4620. [RT #39795]
  Bug Fixes
  * Asynchronous zone loads were not handled correctly when the zone load was
    already in progress; this could trigger a crash in zt.c. [RT #37573]
  * Several bugs have been fixed in the RPZ implementation:
    + Policy zones that did not specifically require recursion could be treated
      as if they did; consequently, setting qname-wait-recurse no; was
      sometimes ineffective. This has been corrected. In most configurations,
      behavioral changes due to this fix will not be noticeable. [RT #39229]
    + The server could crash if policy zones were updated (e.g. via
      rndc reload or an incoming zone transfer) while RPZ processing
      was still ongoing for an active query. [RT #39415]
    + On servers with one or more policy zones configured as slaves, if a
      policy zone updated during regular operation (rather than at startup)
      using a full zone reload, such as via AXFR, a bug could allow the RPZ
      summary data to fall out of sync, potentially leading to an assertion
      failure in rpz.c when further incremental updates were made to the zone,
      such as via IXFR. [RT #39567]
    + The server could match a shorter prefix than what was
      available in CLIENT-IP policy triggers, and so, an unexpected
      action could be taken. This has been corrected. [RT #39481]
    + The server could crash if a reload of an RPZ zone was initiated while

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=174
2015-07-29 19:36:46 +00:00
Lars Müller
5693887a0c - Update to version 9.10.2-P2
- An uninitialized value in validator.c could result in an assertion failure.
    (CVE-2015-4620) [RT #39795]
- Update to version 9.10.2-P1
  - Include client-ip rules when logging the number of RPZ rules of each type.
    [RT #39670]
  - Addressed further problems with reloading RPZ zones. [RT #39649]
  - Addressed a regression introduced in change #4121. [RT #39611]
  - The server could match a shorter prefix than what was available in
    CLIENT-IP policy triggers, and so, an unexpected action could be taken.
    This has been corrected. [RT #39481]
  - On servers with one or more policy zones configured as slaves, if a policy
    zone updated during regular operation (rather than at startup) using a full
    zone reload, such as via AXFR, a bug could allow the RPZ summary data to
    fall out of sync, potentially leading to an assertion failure in rpz.c when
    further incremental updates were made to the zone, such as via IXFR.
    [RT #39567]
  - A bug in RPZ could cause the server to crash if policy zones were updated
    while recursion was pending for RPZ processing of an active query.
    [RT #39415]
  - Fix a bug in RPZ that could cause some policy zones that did not
    specifically require recursion to be treated as if they did; consequently,
    setting qname-wait-recurse no; was sometimes ineffective. [RT #39229]
  - Asynchronous zone loads were not handled correctly when the zone load was
    already in progress; this could trigger a crash in zt.c. [RT #37573]
  - Fix an out-of-bounds read in RPZ code. If the read succeeded, it doesn't
    result in a bug during operation. If the read failed, named could segfault.
    [RT #38559]

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=172
2015-07-10 20:54:40 +00:00
Lars Müller
2d26a35729 Change log line wrapping.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=170
2015-06-18 13:14:58 +00:00
755db9e738 Accepting request 311393 from home:guohouzuo:freeipa
Fix inappropriate use of /var/lib/named for locating dynamic-DB plugins.
Dynamic-DB plugins are now loaded from %{_libexecdir}/bind, consistent with openSUSE packaging guideline.
Install additional header files which are helpful to the development of dynamic-DB plugins.

Please note that - the so-far only implementation of dyanmic-DB plugin does not support running in chroot environment very well, there is great performance impact in doing so.

OBS-URL: https://build.opensuse.org/request/show/311393
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=169
2015-06-18 12:30:16 +00:00
Lars Müller
1ea9273bb0 This change set makes bind build again for SLE 11 too.
- Depend on systemd macros and sysvinit on post-12.3 only.
- Create empty lwresd.conf at build time.
- Reduce file list pre-13.1.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=167
2015-05-08 18:11:21 +00:00
Lars Müller
44ffc351bb - Update to version 9.10.2
- Handle timeout in legacy system test. [RT #38573]
  - dns_rdata_freestruct could be called on a uninitialised structure when
    handling a error. [RT #38568]
  - Addressed valgrind warnings. [RT #38549]
  - UDP dispatches could use the wrong pseudorandom
    number generator context. [RT #38578]
  - Fixed several small bugs in automatic trust anchor management, including a
    memory leak and a possible loss of key state information. [RT #38458]
  - 'dnssec-dsfromkey -T 0' failed to add ttl field. [RT #38565]
  - Revoking a managed trust anchor and supplying an untrusted replacement
    could cause named to crash with an assertion failure.
    (CVE-2015-1349) [RT #38344]
  - Fix a leak of query fetchlock. [RT #38454]
  - Fix a leak of pthread_mutexattr_t. [RT #38454]
  - RPZ could send spurious SERVFAILs in response
    to duplicate queries. [RT #38510]
  - CDS and CDNSKEY had the wrong attributes. [RT #38491]
  - adb hash table was not being grown. [RT #38470]
- Update bind.keyring
- Update baselibs.conf due to updates to libdns160 and libisc148

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=166
2015-05-08 15:44:01 +00:00
Lars Müller
fa2687cc7a Accepting request 305950 from home:guohouzuo:freeipa
- Enable export libraries to support plugin development.
  Install DNSSEC root key.
  Expose new interface for developing dynamic zone database.
  + dns_dynamic_db.patch

OBS-URL: https://build.opensuse.org/request/show/305950
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=165
2015-05-08 14:24:45 +00:00
a72d9724b3 Accepting request 285468 from home:k0da:branches:network
- PowerPC can build shared libraries for sure.
  idnkit-powerpc-ltconfig.patch

OBS-URL: https://build.opensuse.org/request/show/285468
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=163
2015-02-11 12:29:20 +00:00
Andrey Karepin
4d1f101c72 added mistakenly deleted row (Request 266520)
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=161
2015-01-11 18:19:25 +00:00
Andrey Karepin
43ba3368ef Accepting request 266520 from home:jengelh:branches:network
- Explicitly BuildRequire systemd-rpm-macros since it is used
  for lwresd %post etc. Then drop pre-12.x material.
  Remove configure.in.diff2.

OBS-URL: https://build.opensuse.org/request/show/266520
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=160
2015-01-11 16:14:25 +00:00
Lars Müller
ce7779f753 Add lost hyphen to minimize diff with the submit request to factory.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=158
2014-12-11 15:29:03 +00:00
Lars Müller
70eef698ee Accepting request 264794 from home:jengelh:branches:network
- Corrections to baselibs.conf
Just merge my changes properly already.

OBS-URL: https://build.opensuse.org/request/show/264794
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=157
2014-12-11 14:46:49 +00:00
Lars Müller
24da4f54fa Accepting request 264596 from home:lmuelle:bind
- Update to version 9.10.1-P1
  - A flaw in delegation handling could be exploited to put named into an
    infinite loop.  This has been addressed by placing limits on the number of
    levels of recursion named will allow (default 7), and the number of
    iterative queries that it will send (default 50) before terminating a
    recursive query (CVE-2014-8500); (bnc#908994).
    The recursion depth limit is configured via the "max-recursion-depth"
    option, and the query limit via the "max-recursion-queries" option.
    [RT #37580]
  - When geoip-directory was reconfigured during named run-time, the
    previously loaded GeoIP data could remain, potentially causing wrong ACLs
    to be used or wrong results to be served based on geolocation
    (CVE-2014-8680). [RT #37720]; (bnc#908995).
  - Lookups in GeoIP databases that were not loaded could cause an assertion
    failure (CVE-2014-8680). [RT #37679]; (bnc#908995).
  - The caching of GeoIP lookups did not always handle address families
    correctly, potentially resulting in an assertion failure (CVE-2014-8680).
    [RT #37672]; (bnc#908995).

OBS-URL: https://build.opensuse.org/request/show/264596
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=156
2014-12-09 22:47:11 +00:00
c38019450e Accepting request 264325 from home:lmuelle:bind
Merge request 264305:

- Convert some hard PreReq to leaner Requires(pre).
- Typograhical and orthographic fixes to description texts.

Changes already present with request 264243:

- Fix bashisms in the createNamedConfInclude script.
- Post scripts: remove '-e' option of 'echo' that may be unsupported
  in some POSIX-compliant shells.

- Add openssl engines to the lwresd chroot.
- Add /etc/lwresd.conf with attribute ghost to the list of files.
- Add /run/lwresd to the list of files of the lwresd package.
- Shift /run/named from the chroot sub to the main bind package.
- Drop /proc from the chroot as multi CPU systems work fine even without it.

OBS-URL: https://build.opensuse.org/request/show/264325
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=155
2014-12-08 08:18:17 +00:00
c1eb80a9c7 - Removed pid-path.diff
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=154
2014-12-05 10:58:49 +00:00
932f848950 Accepting request 264083 from home:lmuelle:bind
- Add a versioned dependency when obsoleting packages.

- Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293).

- Fix gssapi_krb configure time header detection.

- Update root zone (dated Nov 5, 2014).

- Update to version 9.10.1
  - This release addresses the security flaws described in CVE-2014-3214 and
     CVE-2014-3859.
- Update to version 9.10.0
- Update to version 9.9.6

  Cf the bind changes file for all the details of 9.9.6 till 9.10.1.

- Remove merged rpz2+rl-9.9.5.patch and obsoleted rpz2+rl-9.9.5.patch
- Update baselibs.conf (added libirs and library interface version updates).

OBS-URL: https://build.opensuse.org/request/show/264083
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=153
2014-12-05 10:12:05 +00:00
Lars Müller
e179acbc40 Accepting request 261547 from home:dimstar:gpg2
OBS-URL: https://build.opensuse.org/request/show/261547
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=152
2014-11-14 10:36:34 +00:00
Reinhard Max
dab82c1e27 Accepting request 253555 from home:jengelh:branches:network
the IDN parts are totally optional

OBS-URL: https://build.opensuse.org/request/show/253555
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=151
2014-10-16 14:25:14 +00:00
Andrey Karepin
48ca52dcbe Accepting request 248172 from home:WernerFink:branches:network
- Require systemd-rpm-macros at build

OBS-URL: https://build.opensuse.org/request/show/248172
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=149
2014-09-12 05:49:00 +00:00
Reinhard Max
c0a72d4f0b Accepting request 248035 from home:WernerFink:branches:network
- Use the systemd service macros to make sure init scripts are
  registered properly (bnc#894627)

OBS-URL: https://build.opensuse.org/request/show/248035
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=148
2014-09-08 14:06:56 +00:00
Reinhard Max
27153bee19 - Version 9.9.5P1 also fixes a problem with zone transfers on
multicore machines (bnc#882511).

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=147
2014-09-03 11:44:55 +00:00
Reinhard Max
40916246e7 - Version 9.9.5P1 also fixes orphan mode (bnc#883859).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=146
2014-09-03 11:40:39 +00:00
ed559646e6 Accepting request 243329 from home:lmuelle:branches:network
- Package dnssec-checkds and dnssec-coverage binaries and man pages only on
  post-11.1 systems.

- Update to version 9.9.5P1
  Various bugfixes and some feature fixes. (see CHANGES files)
  Security and maintenance issues:
  - [bug] Don't call qsort with a null pointer. [RT #35968]
  - [bug] Disable GCC 4.9 "delete null pointer check". [RT #35968]
  - [port] linux: libcap support: declare curval at start of block. [RT #35387]
- Update to version 9.9.5
  Various bugfixes and some feature fixes. (see CHANGES files)
- Updated to current rpz patch from·http://ss.vix.su/~vjs/rrlrpz.html
  - rpz2-9.9.4.patch
  + rpz2+rl-9.9.5.patch

OBS-URL: https://build.opensuse.org/request/show/243329
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=144
2014-08-01 11:43:42 +00:00
Sascha Peilicke
03789a4890 Accepting request 235970 from home:computersalat:devel:network
add stuff for DNSSEC validation to named.conf

OBS-URL: https://build.opensuse.org/request/show/235970
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=142
2014-06-02 09:09:36 +00:00
b25ceb6024 Accepting request 235320 from home:elvigia:branches:network
- Build with LFS_CFLAGS in 32 bit systems.

OBS-URL: https://build.opensuse.org/request/show/235320
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=141
2014-06-01 10:06:10 +00:00
Reinhard Max
8dac1c49a4 Re-sync changes file with SLE12.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=139
2014-05-08 10:01:10 +00:00
Reinhard Max
9927c8db29 Accepting request 233009 from home:oertel:branches:network
- use %_rundir macro

OBS-URL: https://build.opensuse.org/request/show/233009
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=138
2014-05-08 09:51:15 +00:00
Reinhard Max
f40daf517b - Add the sdb-ldap backend module (fate#313216).
- Details can be found here:
  * http://bind9-ldap.bayour.com/
  * http://bind9-ldap.bayour.com/dnszonehowto.html

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=136
2014-01-24 10:15:48 +00:00
Reinhard Max
6fa65ad99d unfuzz rpz2-9.9.4.patch
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=135
2014-01-21 17:29:39 +00:00
Reinhard Max
2280b862ef - Update to version 9.9.4P2
* Fixes named crash when handling malformed NSEC3-signed zones
    (CVE-2014-0591, bnc#858639)
  * Obsoletes workaround-compile-problem.diff
- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now
  supported upstream (--enable-rrl).

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=134
2014-01-21 17:09:17 +00:00
Reinhard Max
f61744ed46 Remove createNamedConfInclude~
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=132
2013-12-09 13:33:42 +00:00
Reinhard Max
c13e4cf96e Fix creation of /etc/named.conf.include .
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=131
2013-12-09 12:23:41 +00:00
Reinhard Max
e0efd1bf47 - Systemd doesn't set $TERM, and hence breaks tput (bnc#823175).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=129
2013-08-07 15:23:09 +00:00
Reinhard Max
b255a507e5 - Systemd doesn't set $TERM, and hence breaks tput.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=128
2013-08-07 15:21:50 +00:00
Reinhard Max
ef9b332868 - Improve pie_compile.diff (bnc#828874).
- dnssec-checkds and dnssec-coverage need python-base.
- disable rpath in libtool.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=127
2013-08-06 13:06:41 +00:00
Reinhard Max
2e7cad6b7d dnssec-checkds and dnssec-coverage need python-base for building.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=126
2013-08-06 09:11:23 +00:00
Reinhard Max
28ef07b698 - Update to 9.9.3P2 fixes CVE-2013-4854, bnc#831899.
* Incorrect bounds checking on private type 'keydata' can lead
    to a remotely triggerable REQUIRE failure.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=125
2013-08-05 14:51:21 +00:00
Reinhard Max
8e89b870e6 - Remove non-working apparmor profiles (bnc#740327).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=123
2013-07-24 15:38:10 +00:00
918e706647 - the README file is not a directory, drop the dir attribute
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=121
2013-07-17 12:09:28 +00:00
67378e3874 - moved dnssec-* helpers to bind-utils package. bnc#813911
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=119
2013-06-27 09:27:34 +00:00